#!/bin/bash

vpn_path="/data/wangleitest/vpn/file"
client_name=$1
client_addr=$2
client_pass="clientpass"
client_path=$vpn_path/$client_name
client_key_path=$client_path/${client_name}_key
client_package_path=$vpn_path/package
client_module_path=$vpn_path/modules
vpn_easyrsa_path="$vpn_path/easy-rsa/easyrsa3"
client_easyrsa_path="$client_path/easy-rsa-master/easyrsa3"

openvpn_host="192.168.10.97"
openvpn_path="/etc/openvpn/ccd"
openvpn_net="192.168.20"
openvpn_iptables="/etc/sysconfig/iptables"

# 获取未分配的地址
function get_avaiable_addr() {
    used_ip_list=$(ssh root@$openvpn_host "find $openvpn_path -type f|xargs grep ifconfig-push"|grep $openvpn_net|awk '{if($2~/'$openvpn_net'/) print $2}')
    for i in {10..254}
    do
        echo $used_ip_list | grep -qw $openvpn_net.$i --color
        if [ $? -ne 0 ]; then
            echo "$openvpn_net.$i"
            break
        fi
    done
}


# 添加iptables白名单
function add_iptables_rule() {
    line=$(ssh root@$openvpn_host "cat /etc/sysconfig/iptables"|grep $client_addr|wc -l)
    if [ $line -eq 0 ]; then
        ssh root@$openvpn_host "sed -i '/REJECT/i\-A RH-Firewall-1-INPUT -s $client_addr -m state --state NEW -j ACCEPT' $openvpn_iptables"
        ssh root@$openvpn_host "systemctl restart iptables"
    fi
}


# 添加openvpn ccd配置
function add_openvpn_ccd() {
    cat $vpn_path/ccd | sed "s/127.0.0.1/$1/" > $vpn_path/${client_name}_ccd
    scp $vpn_path/${client_name}_ccd root@$openvpn_host:$openvpn_path/$client_name
    rm -f $vpn_path/${client_name}_ccd
}


# 生成客户端配置
function create_openvpn_client() {
    if [ -f $vpn_easyrsa_path/pki/reqs/${client_name}.req ];then
        echo "key 已存在"
        exit
    fi

    mkdir -p $client_key_path $client_package_path
    cp $vpn_path/master $client_path/
    unzip  $client_path/master -d $client_path/ &>/dev/null
    cp $client_easyrsa_path/vars.example $client_easyrsa_path/vars
    cd $client_easyrsa_path

    # 创建证书 init-pki
    sh easyrsa init-pki
    echo -e "\n\n########################## easyrsa gen-req ##########################"
    /usr/bin/expect <<-EOF
    set time 30
    spawn sh easyrsa gen-req $client_name
    expect {
    "Enter PEM pass phrase:" { send "raycloud\r"; exp_continue }
    "Verifying - Enter PEM pass phrase:" { send "raycloud\r"; exp_continue }
    "*your user, host, or server name*" { send "$client_name\r" }
    }
    expect eof
EOF

    # 创建证书 import-req
    cd $vpn_easyrsa_path
    echo -e "\n\n########################## easyrsa import-req ##########################"
    sh easyrsa import-req $client_easyrsa_path/pki/reqs/$client_name.req $client_name

    # 创建证书 sign client
    echo -e "\n\n########################## easyrsa sign client ##########################"
    /usr/bin/expect <<-EOF
    set time 30
    spawn sh easyrsa sign client $client_name
    expect {
    "*Confirm request details*" { send "yes\r"; exp_continue }
    "*Enter pass phrase for*" { send "raycloud\r" }
    }
    expect eof
EOF

    # 客户端配置打包
    echo $vpn_path/easy-rsa/easyrsa3/pki/ca.crt
    cp $vpn_easyrsa_path/pki/ca.crt $client_key_path/
    cp $vpn_easyrsa_path/pki/issued/$client_name.crt $client_key_path/
    cp $client_easyrsa_path/pki/private/$client_name.key $client_key_path/
    cd $client_path
    tar zcf ${client_name}_key.tgz ${client_name}_key
    mv ${client_name}_key.tgz $client_package_path/
    rm -rf $client_key_path

    # 配置openvpn服务端ccd
    openvpn_client_addr=$(get_avaiable_addr)
    add_openvpn_ccd $openvpn_client_addr

    # 添加防火墙规则
    add_iptables_rule

    # 下发客户端配置
    cp -rf $client_module_path $vpn_path/${client_name}_modules
    #sed "s/openvpn_name/${client_name}/g" $vpn_path/${client_name}_modules/openvpn.ovpn
    cp $client_package_path/${client_name}_key.tgz $vpn_path/${client_name}_modules/
    cd $vpn_path
    tar zcf ${client_name}_modules.tgz ${client_name}_modules
    rm -rf ${client_name}_modules
    rm -rf ${client_name}

    sshpass -p "$client_pass" scp -o StrictHostKeyChecking=no ${client_name}_modules.tgz root@$client_addr:/root/
    sshpass -p "$client_pass" ssh -o StrictHostKeyChecking=no root@$client_addr "cd /root; tar zxf ${client_name}_modules.tgz"
    sshpass -p "$client_pass" ssh -o StrictHostKeyChecking=no root@$client_addr "cd /root/${client_name}_modules; sh install.sh /root/${client_name}_modules/${client_name}_key.tgz"
    sshpass -p "$client_pass" ssh -o StrictHostKeyChecking=no root@$client_addr "cp /root/${client_name}_modules/openvpn_start.sh /root/.openvpn_start.sh"
    sshpass -p "$client_pass" ssh -o StrictHostKeyChecking=no root@$client_addr "chmod +x /root/.openvpn_start.sh"
    sshpass -p "$client_pass" ssh -o StrictHostKeyChecking=no root@$client_addr "chmod +x /etc/rc.d/rc.local"
    rm -f ${client_name}_modules.tgz

    # 开机自启动
    line=$(sshpass -p "$client_pass" ssh -o StrictHostKeyChecking=no root@$client_addr "cat /etc/rc.d/rc.local"|grep openvpn|wc -l)
    if [ $line -eq 0 ]; then
        sshpass -p "$client_pass" ssh -o StrictHostKeyChecking=no root@$client_addr "echo -e '\n#openvpn autostart\n/root/.openvpn_start.sh' >> /etc/rc.d/rc.local"
    fi

    sleep 3
    echo "$client_addr,$openvpn_client_addr" >> $vpn_path/openvpn_info

}





create_openvpn_client
